Using Signature Generators
OBS provides graphical tools to make it easier to generate signatures.
Signature Carrying Method |
Signature Generator |
---|---|
Using an authorization header |
|
Using a pre-signed URL |
Procedure
Use the signature generator as follows:
In an Authorization Header
- Open the signature generator.
- Enter the AK and SK. For details, see Access Keys.
- Configure StringToSign parameters.
Table 2 Parameter description Parameter
Type
Mandatory (Yes/No)
Description
HTTP-Verb
String
Yes
Explanation:
The HTTP method used to make a request (also called an operation). For RESTful APIs, HTTP methods include PUT, GET, DELETE, and other operations. Select a method based on the API to be called.
Restrictions:
None
Value range:
- GET: Requests that a server return a specific resource, for example, obtaining a bucket list or downloading an object.
- PUT: Requests that a server update a specific resource, for example, creating a bucket or uploading an object.
- POST: Requests that a server add a resource or perform special operations such as initiating a multipart upload or assembling parts.
- DELETE: Requests that a server delete a specific resource such as an object.
- HEAD: Requests that a server return the description of a specific resource, for example, obtaining object metadata.
- OPTIONS (not supported for signature generators): Requests that a server check whether the user has the permissions to perform an operation on a resource. CORS must be configured for the bucket.
Default value:
None
Content-MD5
String
No
Explanation:
The base64-encoded 128-bit MD5 digest of the request body based on RFC 1864. This header can be used as a message integrity check to verify that the data was not tampered with in transit.
Restrictions:
None
Value range:
0–24 characters (0 included, 24 excluded)
Default value:
This parameter is left blank by default.
Content-Type
String
No
Explanation:
The file type of an object—for example, text/plain—which determines what format and encoding a browser uses to read the file.
Restrictions:
None
Value range:
See What Is Content-Type (MIME)?
Default value:
If this header is not included in the request, an empty string is used. For details, see Table 4. If this header is contained but not specified, its value is automatically specified based on the file name extension. If the file has no extension, application/octet-stream is used by default.
Date
String
Yes
Explanation:
When a request was made. If the value of Date is over 15 minutes away from the current server time, the server returns 403, indicating that the request is invalid.
Restrictions:
- The value must be a GMT in RFC 1123 format.
- If Date and x-obs-date headers are both specified, x-obs-date applies.
Value range:
None
Default value:
None
CanonicalizedHeaders
String
No
Explanation:
Additional headers defined by OBS that are prefixed with x-obs-, for example, x-obs-date, x-obs-acl, and x-obs-meta-*. For each additional header, separate its name and value by a colon (:). In x-obs-storage-class:STANDARD, for example, x-obs-storage-class is the header name, and STANDARD is the header value.
Restrictions:
- A header name cannot contain non-ASCII or unrecognizable characters, which are also not recommended for header values. If such characters are necessary, they must be encoded or decoded in URL or Base64 on the client side, because the server side does not perform any decoding.
- If a header has multiple values, these values need to be written together under their shared header name, separated by commas (,). For example, x-obs-meta-name:name1 and x-obs-meta-name:name2 must be combined into x-obs-meta-name:name1,name2.
- You do not need to handle the case conversion or lexicographical sorting of header names, which are automatically handled by the software.
Value range:
Determined by the API to be called
Default value:
This parameter is left blank by default.
CanonicalizedResource
String
Yes
Explanation:
OBS resources specified in an HTTP request. The structure is as follows:
CanonicalizedResource = /bucket-name/object-name?sub-resource
For example, if you want to call GetObject to obtain version xxx of object object-test stored in bucket-test and change Content-Type to text/plain, then CanonicalizedResource would be as follows:
/bucket-test/object-test?response-content-type=text/plain&versionId=xxx
- bucket-name:
If the bucket does not have a custom domain name associated, use its own name.
Otherwise, use its associated custom domain name. In /obs.ccc.com/object, for example, obs.ccc.com is a custom bucket domain name.
If an API operation does not require a bucket to be specified, for example, listing all buckets under an account, omit both the bucket name and object name by using, for example, /.
- object-name:
The name of the required object. Follow the object naming rules.
- sub-resource: Arrange multiple sub-resources in ascending lexicographic order and use ampersands (&) to separate them.
sub-resource identifiers: CDNNotifyConfiguration, acl, append, attname, backtosource, cors, customdomain, delete, deletebucket, directcoldaccess, encryption, inventory, length, lifecycle, location, logging, metadata, modify, name, notification, partNumber, policy, position, quota, rename, replication, restore, storageClass, storagePolicy, storageinfo, tagging, torrent, truncate, uploadId, uploads, versionId, versioning, versions, website,x-obs-security-token, object-lock, retention
Response header sub-resources: response-cache-control, response-content-disposition, response-content-encoding, response-content-language, response-content-type, response-expires
Image processing sub-resources: x-image-process, x-image-save-bucket, x-image-save-object
Restrictions:
A sub-resource usually has only one value. Listing multiple values for the same resource key—for example, key=value1&key=value2—is not recommended. If you do so, only the first sub-resource value is used to calculate the signature.
Value range:
None
Default value:
If this parameter is not specified, / is used.
- Click Generate Signed Authorization Header.
In a Pre-signed URL
- Open the signature generator.
- Enter the AK and SK. For details, see Access Keys.
- Configure StringToSign parameters.
Table 3 Parameter description Parameter
Type
Mandatory (Yes/No)
Description
HTTP-Verb
String
Yes
Explanation:
The HTTP method used to make a request (also called an operation). For RESTful APIs, HTTP methods include PUT, GET, DELETE, and other operations. Select a method based on the API to be called.
Restrictions:
None
Value range:
- GET: Requests that a server return a specific resource, for example, obtaining a bucket list or downloading an object.
- PUT: Requests that a server update a specific resource, for example, creating a bucket or uploading an object.
- POST: Requests that a server add a resource or perform special operations such as initiating a multipart upload or assembling parts.
- DELETE: Requests that a server delete a specific resource such as an object.
- HEAD: Requests that a server return the description of a specific resource, for example, obtaining object metadata.
- OPTIONS (not supported for signature generators): Requests that a server check whether the user has the permissions to perform an operation on a resource. CORS must be configured for the bucket.
Default value:
None
Content-MD5
String
No
Explanation:
The base64-encoded 128-bit MD5 digest of the request body based on RFC 1864. This header can be used as a message integrity check to verify that the data was not tampered with in transit.
Restrictions:
None
Value range:
0–24 characters (0 included, 24 excluded)
Default value:
This parameter is left blank by default.
Content-Type
String
No
Explanation:
The file type of an object—for example, text/plain—which determines what format and encoding a browser uses to read the file.
Restrictions:
None
Value range:
See What Is Content-Type (MIME)?
Default value:
If this header is not contained in the request, an empty string is used. For details, see Table 4. If this header is contained but not specified, its value is automatically specified based on the file name extension. If the file has no extension, application/octet-stream is used by default.
Expires
String
Yes
Explanation:
When a pre-signed URL expires, measured as a UNIX timestamp (how many seconds elapsed since 00:00:00 on January 1, 1970). After the specified time elapses, the URL expires.
Restrictions:
None
Value range:
Current time<Expires<20 years after the current time. Unit: second.
NOTE:You just need to specify a validity period for the signature in the signature generator, which will automatically produce a Unix timestamp based on the current time. For example, to configure a signature to be valid for 10 minutes, you specify 600 for Expires.
Default value:
None
CanonicalizedHeaders
String
No
Explanation:
Additional headers defined by OBS that are prefixed with x-obs-, for example, x-obs-date, x-obs-acl, and x-obs-meta-*. For each additional header, separate its name and value by a colon (:). In x-obs-storage-class:STANDARD, for example, x-obs-storage-class is the header name, and STANDARD is the header value.
Restrictions:
- A header name cannot contain non-ASCII or unrecognizable characters, which are also not recommended for header values. If such characters are necessary, they must be encoded or decoded in URL or Base64 on the client side, because the server side does not perform any decoding.
- If a header has multiple values, these values need to be written together under their shared header name, separated by commas (,). For example, x-obs-meta-name:name1 and x-obs-meta-name:name2 must be combined into x-obs-meta-name:name1,name2.
- You do not need to handle the case conversion or lexicographical sorting of header names, which are automatically handled by the software.
Value range:
Determined by the API to be called
Default value:
This parameter is left blank by default.
CanonicalizedResource
String
Yes
Explanation:
OBS resources specified in an HTTP request. The structure is as follows:
CanonicalizedResource = /bucket-name/object-name?sub-resource
For example, if you want to call GetObject to obtain version xxx of object object-test stored in bucket-test and change Content-Type to text/plain, then CanonicalizedResource would be as follows:
/bucket-test/object-test?response-content-type=text/plain&versionId=xxx
- bucket-name:
If the bucket does not have a custom domain name associated, use its own name.
Otherwise, use its associated custom domain name. In /obs.ccc.com/object, for example, obs.ccc.com is a custom bucket domain name.
If an API operation does not require a bucket to be specified, for example, listing all buckets under an account, omit both the bucket name and object name by using, for example, /.
- object-name:
The name of the required object. Follow the object naming rules.
- sub-resource: Arrange multiple sub-resources in ascending lexicographic order and use ampersands (&) to separate them.
sub-resource identifiers: CDNNotifyConfiguration, acl, append, attname, backtosource, cors, customdomain, delete, deletebucket, directcoldaccess, encryption, inventory, length, lifecycle, location, logging, metadata, modify, name, notification, partNumber, policy, position, quota, rename, replication, restore, storageClass, storagePolicy, storageinfo, tagging, torrent, truncate, uploadId, uploads, versionId, versioning, versions, website,x-obs-security-token, object-lock, retention
Response header sub-resources: response-cache-control, response-content-disposition, response-content-encoding, response-content-language, response-content-type, response-expires
Image processing sub-resources: x-image-process, x-image-save-bucket, x-image-save-object
Restrictions:
A sub-resource usually has only one value. Listing multiple values for the same resource key—for example, key=value1&key=value2—is not recommended. If you do so, only the first sub-resource value is used to calculate the signature.
Value range:
None
Default value:
If this parameter is not specified, / is used.
- Click Generate Signed Query URL.
Addressing a Signature Mismatch
During an OBS API call, if the following error is reported:
Status code: 403 Forbidden
Error code: SignatureDoesNotMatch
Error message: The request signature we calculated does not match the signature you provided. Check your key and signing method.
Handle the problem by referring to Why Don't the Signatures Match?
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot